Popular DNA testing companies like 23andMe and Ancestry.com are being investigated by the Federal Trade Commission over their policies for handling personal info and genetic data, and how they share that info with third parties.
The probe was revealed in the agency’s response to a Freedom of Information Act request by Fast Company last month seeking records pertaining to 23andMe and Ancestry.com. The FTC denied the FOIA request, saying in its letter that any records “would be exempt from disclosure . . . because disclosure of that material could reasonably be expected to interfere with the conduct of the Commission’s law enforcement activities.” The agency cited an exemption—5 U.S.C. 552(b)(7)(A)—which has often been interpreted by journalists as the disclosure of an investigation.
A spokesperson for the agency declined comment, saying that “FTC investigations are non-public, and so typically we do not comment on an investigation or even whether we are investigating.”
Privacy issues in the use of such DNA testing kits came to the forefront last month with the arrest of the notorious Golden State Killer, when it was revealed that police had used data from GEDMatch, a genealogy research site where users upload genealogical and genetic information, to help identify the suspect. When contacted by Fast Company, spokespersons for 23andMe and Ancestry.com said they’re rarely approached by law enforcement for genetic data.
Yet as the DNA testing market has exploded—worth approximately $99 million in 2017 and expected to increase to $310 million by 2022—concerns have also grown about the use of genetic data. Many consumers don’t realize that their personal info may be shared with third-party companies and there have been complaints raised that the companies’ terms of service are not always clear about their policies in such matters.
There are also growing concerns about the security of personal DNA data. On Monday, Israel-based DNA testing service MyHeritage announced a security researcher had uncovered tens of millions of account details for some 92 million customers, including email addresses and hashed passwords. The company said it had no reason to believe user data was compromised, and claimed that users’ DNA data is stored on separate systems.
Joel Winston, an attorney who specializes in privacy law and formerly served as a deputy attorney general for the state of New Jersey, said he welcomed the FTC probe. “DNA data is the most important data you own. Your DNA is you,” he wrote in an email. “An enforcement action by the FTC would send a clear message that for-profit companies cannot use the fine print to quietly take an ownership interest in their customers’ DNA. Companies must not be permitted to mislead, deceive, or confuse customers about how their DNA data is being collected, analyzed, and monetized.
“If the FTC finds that any DNA testing company has failed to obtain the full, informed consent of its customers, then the FTC would be expected to prohibit the company from using, sharing, or selling any such DNA data in its possession,” he said.
The FTC probe appears to have been prompted by a letter from Sen. Chuck Schumer last November, in which the senate minority leader expressed concern that popular at-home DNA test kits could be putting consumer privacy at great risk:
“Besides, putting your most personal genetic information in the hands of third parties for their exclusive use raises a lot of concerns, from the potential for discrimination by employers all the way to health insurance. That’s why I am asking the Federal Trade Commission to take a serious look at this relatively new kind of service and ensure that these companies have clear, fair privacy policies and standards for all kinds of at-home DNA test kits. We don’t want to impede research but we also don’t want to empower those looking to make a fast buck or an unfair judgement off your genetic information. We can find the right balance here, and we must.”
In response, the agency wrote to Schumer, saying that while it “cannot comment on whether we are investigating specific companies,” it shared his desire for companies to be transparent about the collection and use of their genetic data.
An Ancestry spokesperson declined to comment on any investigation or whether it has been contacted by the FTC, but emphasized:
“Protecting our customers’ privacy is our highest priority—starting with our belief that customers should always maintain ownership and control over their own data. We do not and will not sell DNA data to insurers, employers, health providers, or third-party marketers and will only share DNA data with researchers if the customer has consented. Customers can request that their data and accounts be deleted at any time.”
A spokesperson for 23andMe indicated on Friday that a comment was forthcoming, but has yet to respond as of Tuesday afternoon.
It wouldn’t be the first time the agency took action to protect consumers of genetic tests. In 2014, it filed charges against Genelink Inc. and L’Oréal for “purported personalized genomics products,” related to their marketing of nutrigenetic and dermagenetic products. The two companies settled the charges later that year.
With reporting by Alex Pasternack.